Hackers were able to access UK voter registers undetected for 15 months, the Electoral Commission said, raising questions about data security even as it played down fears about the impact on elections.
(Bloomberg) — Hackers were able to access UK voter registers undetected for 15 months, the Electoral Commission said, raising questions about data security even as it played down fears about the impact on elections.
“Hostile actors” could obtain the name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters, the commission said Tuesday, describing it as a “complex cyber attack.” The hackers first accessed Electoral Commission systems in August 2021, but the breach was not identified until October 2022.
While the commission said there was not a “high risk” to individuals, it highlights security risks surrounding sensitive digital records held by British institutions. Targeting the Electoral Commission is especially sensitive, and it moved quickly to try to allay concerns about the risk of vote manipulation.
“The attack has not had an impact on the electoral process,” the commission said in a separate question-and-answer page on its website. It said it doesn’t yet know who is responsible for the attack, and investigations are ongoing.
The National Cyber Security Centre, part of the government’s GCHQ listening post, warned this month that organizations should update their systems after a series of malicious cyber attacks in 2022.
“We are concerned about this situation,” Robert Jenrick, who attends Cabinet as immigration minister, told LBC radio on Wednesday. The commission has been working for several months with the National Crime Agency and the NCSC to “better understand who might have be behind this,” he said.
“I’m not able to speculate on that today,” Jenrick added.
The Electoral Commission said its email system was also compromised, though it has not yet been able to “know conclusively what files may or may not have been accessed,” Chief Executive Officer Shaun McNally said in the statement.
The organization warned that anyone who had been in contact with the commission or had registered to vote between 2014 and 2022 “should remain vigilant for unauthorized use or release of their personal data.”
It also explained the delay in disclosing the hack, saying it needed to take steps beforehand including removing the hackers from its systems, assessing the extent of the incident and understanding who might be affected.
(Updates with Jenrick comment in sixth paragraph.)
More stories like this are available on bloomberg.com
©2023 Bloomberg L.P.